Google cuts security corners to gain market share
It has been obvious for some time that Google's app standards for Android are lenient, to say the least. That's why Android is the favored platform for mobile malware. But it turns out that Chrome extensions are a huge and similar problem, one that I'm beginning to really worry about.
When Android phones started coming out Google had a lot of catching up to do. Back then there was a lot of mindless talk about how many tens of thousands or hundreds of thousands of apps a phone had. Obviously 200,000 apps is twice as good as 100,000, right? The way Google structured their app system for Android seems to me to be designed to maximize the number of apps by making it cheap and easy to create and distribute them. And this happens at the expense of security.
Everyone knows that lots of people jailbreak their iPhones, but if you don't, your chances of installing a malicious app are pretty damn slim, near-zero I'd say. Apple tightly controls who gets into the App Store, which is the only way to get apps to users, and they do some checking. Furthermore, it costs $100/year to be a developer.
On Android it costs something like $20 to get an account to distribute apps through the Android Market, and many malicious apps have been found there. But even that trouble isn't necessary. Android embraces jailbreaking. Just go to Settings-Applications and check the "Unknown sources" box and then you can install apps from one of the many third-party app marketplaces.
There's another point about Android apps vs. iOS: Both must be digitally signed, but with iOS they're signed with Apple keys. On Android you are effectively required to use self-signing, which eliminates any authentication possibility for the signature process. (I say 'effectively' because you are required to have a 25+ year life span for the signature, and nobody can afford that kind of lifetime on a code signing certificate. As a result, the only thing the signature is good for is that Google can blacklist apps signed with it, but since self-signing is free this isn't any impediment.)
Attack by Extensions
This is old, bad news, but the other day I heard something which reminded me of it. At Black Hat a few weeks ago, Matt Johansen, a member of WhiteHat Security's Threat Research Center, gave a presentation on hacking Google's Chrome OS. The key to hacking Chrome OS, as they did it, is to create a malicious extension. Chrome OS extensions are exactly the same as extensions for the Chrome browser. There's a Google Chrome Web Store where you can go to get more extensions (many of them very useful, like Angry Birds).
It turns out that extensions get full access to content in all tabs of the browser. This means that if you're using Gmail in Chrome (or Chrome OS) and have a malicious extension installed, the extension has access to all your mail and all your contacts. It can read them, it can write to the tab and show you fake mail, it can do anything. As Johansen said, even though those web pages may have no vulnerabilities in them, Chrome extensions make all of them fully vulnerable to cross-site scripting.
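An extension's reach across tabs is declared in its manifest.json, so an installed or submitted extension can be audited for all-site access before it is trusted. The following is an added example, not code from this article or from WhiteHat's research; the function name, the sensitive-API list and both sample manifests are constructed for illustration.

```javascript
// Added example: flag Chrome extension manifests that request access to every site.
// Match patterns covering all hosts: "<all_urls>" or a scheme followed by host "*".
const ALL_HOSTS = /^(<all_urls>|(\*|https?):\/\/\*\/.*)$/;
// API permissions that widen what broad host access can reach (illustrative subset).
const SENSITIVE_APIS = new Set(["tabs", "cookies", "webRequest", "scripting", "history"]);

function auditManifest(manifest) {
  const findings = [];
  const lists = {
    permissions: manifest.permissions,             // MV2 mixes host patterns in here
    host_permissions: manifest.host_permissions,   // MV3 keeps them separate
    optional_permissions: manifest.optional_permissions,
    optional_host_permissions: manifest.optional_host_permissions,
  };
  for (const [field, values] of Object.entries(lists)) {
    for (const value of Array.isArray(values) ? values : []) {
      if (typeof value !== "string") continue;
      if (ALL_HOSTS.test(value)) findings.push({ field, value, kind: "all-hosts" });
      else if (SENSITIVE_APIS.has(value)) findings.push({ field, value, kind: "sensitive-api" });
    }
  }
  // Content scripts are injected into every page their "matches" patterns cover.
  const scripts = Array.isArray(manifest.content_scripts) ? manifest.content_scripts : [];
  scripts.forEach((cs, i) => {
    for (const value of Array.isArray(cs?.matches) ? cs.matches : []) {
      if (ALL_HOSTS.test(value)) {
        findings.push({ field: `content_scripts[${i}].matches`, value, kind: "all-hosts" });
      }
    }
  });
  const allHosts = findings.some((f) => f.kind === "all-hosts");
  return { name: manifest.name || "(unnamed)", allHosts, findings };
}

// Constructed sample manifests (not real extensions).
const broadSample = {
  name: "Sample Toolbar", manifest_version: 2,
  permissions: ["tabs", "cookies", "http://*/*", "https://*/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};
const scopedSample = {
  name: "Sample Notifier", manifest_version: 3,
  permissions: ["storage"],
  host_permissions: ["https://mail.example.com/*"],
};

for (const m of [broadSample, scopedSample]) {
  const r = auditManifest(m);
  console.log(`${r.name}: ${r.allHosts ? "ALL SITES" : "scoped"} (${r.findings.length} findings)`);
}
```

An extension flagged as all-hosts can read and modify any page the user opens, which is the Gmail scenario described above; the scoped sample can only touch the one origin it names.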
But surely you can't just put any old extension up in the market, right? The bar isn't very high. "A one-time developer registration fee of US$5.00 is required to verify your account and publish items." To test, WhiteHat Security created a test malicious app called "Malicious App" and published it in the store. As soon as they saw it was there and available to be downloaded, they took it down. Point made.
The bigger point is that Google's philosophy seems to be that it's better to have a lot of market share with insecure products than lesser share with secure ones. The truth of this is becoming clear to many on Android, and now we know it too for Chrome/Chrome OS. How much longer can Google get away with this?
Larry Seltzer is a freelance writer and consultant, dealing mostly with security matters. He has written recently for Infoworld, eWEEK, Dr. Dobb's Journal, and is a Contributing Editor at PC Magazine and author of their Security Watch blog. He has also written for Symantec Authentication (formerly VeriSign) and Lumension's Intelligent Whitelisting site.